Description
NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, data tampering, and information disclosure.
Published: 2026-06-16
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The NeMo Framework for Linux contains a deserialization flaw that allows untrusted data to be processed, which can enable an attacker to run arbitrary code, elevate privileges, alter data, or leak sensitive information. The weakness is classified as CWE‑502 – deserialization of untrusted data.

Affected Systems

NVIDIA NeMo Framework for Linux is the affected product. No specific version information is provided in the CNA data, so any installation of the framework should be considered potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, leveraging the framework’s ability to receive serialized data from external sources; an attacker could send a crafted payload that triggers the flaw and achieves code execution.

Generated by OpenCVE AI on June 17, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest NVIDIA NeMo Framework patch that fixes the deserialization vulnerability.
  • Limit network exposure of NeMo Framework services to trusted hosts or networks.
  • Ensure that any serialized input is validated or sanitized before processing by the framework.

Generated by OpenCVE AI on June 17, 2026 at 20:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Deserialization Vulnerability in NVIDIA NeMo Framework Allows Remote Code Execution

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Nvidia nemo
CPEs cpe:2.3:a:nvidia:nemo:*:*:*:*:*:*:*:*
Vendors & Products Nvidia nemo

Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Nvidia
Nvidia nemo Framework
Vendors & Products Nvidia
Nvidia nemo Framework

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, data tampering, and information disclosure.
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Nvidia Nemo Nemo Framework
cve-icon MITRE

Status: PUBLISHED

Assigner: nvidia

Published:

Updated: 2026-06-17T03:55:56.660Z

Reserved: 2026-01-21T19:09:36.965Z

Link: CVE-2026-24228

cve-icon Vulnrichment

Updated: 2026-06-16T16:53:30.870Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-16T17:16:39.590

Modified: 2026-06-16T20:38:29.477

Link: CVE-2026-24228

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T20:45:03Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data